lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix sql injection when forging requests with IN

Browse Source
This commit is contained in:
Laurent Destailleur 2020-09-18 17:47:40 +02:00
parent 4e2aff2cdc
commit b6c6473cce
13 changed files with 15 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/comm/propal/list.php
View File

@ -361,7 +361,7 @@ if ($search_product_category > 0) $sql .= " AND cp.fk_categorie = ".$db->escape(
if ($socid > 0) $sql .= ' AND s.rowid = '.$socid;
if ($search_status != '' && $search_status != '-1')
{
$sql .= ' AND p.fk_statut IN ('.$db->escape($search_status).')';
$sql .= ' AND p.fk_statut IN ('.$this->db->sanitize($db->escape($search_status)).')';
}
if ($search_date_start) $sql .= " AND p.datep >= '".$db->idate($search_date_start)."'";
if ($search_date_end) $sql .= " AND p.datep <= '".$db->idate($search_date_end)."'";

2
htdocs/comm/propal/stats/index.php
View File

@ -101,7 +101,7 @@ dol_mkdir($dir);
$stats = new PropaleStats($db, $socid, ($userid > 0 ? $userid : 0), $mode, ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0));
if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$db->escape($object_status).')';
if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')';
// Build graphic number of object
$data = $stats->getNbByMonthWithPrevYear($endyear, $startyear);

4
htdocs/commande/stats/index.php
View File

@ -94,11 +94,11 @@ dol_mkdir($dir);
$stats = new CommandeStats($db, $socid, $mode, ($userid > 0 ? $userid : 0), ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0));
if ($mode == 'customer')
{
if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')';
if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')';
}
if ($mode == 'supplier')
{
if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')';
if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')';
}

4
htdocs/compta/facture/stats/index.php
View File

@ -94,7 +94,7 @@ dol_mkdir($dir);
$stats = new FactureStats($db, $socid, $mode, ($userid > 0 ? $userid : 0), ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0));
if ($mode == 'customer')
{
if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->escape($object_status).')';
if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')';
if (is_array($custcats) && !empty($custcats)) {
$stats->from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'categorie_societe as cat ON (f.fk_soc = cat.fk_soc)';
$stats->where .= ' AND cat.fk_categorie IN ('.implode(',', $custcats).')';
@ -102,7 +102,7 @@ if ($mode == 'customer')
}
if ($mode == 'supplier')
{
if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->escape($object_status).')';
if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')';
}
// Build graphic number of object

2
htdocs/core/class/html.form.class.php
View File

@ -2163,7 +2163,7 @@ class Form
{
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps on ps.fk_product = p.rowid";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entrepot as e on ps.fk_entrepot = e.rowid AND e.entity IN (".getEntity('stock').")";
$sql .= ' AND e.statut IN ('.$this->db->escape(implode(',', $warehouseStatusArray)).')'; // Return line if product is inside the selected stock. If not, an empty line will be returned so we will count 0.
$sql .= ' AND e.statut IN ('.$this->db->sanitize($this->db->escape(implode(',', $warehouseStatusArray))).')'; // Return line if product is inside the selected stock. If not, an empty line will be returned so we will count 0.
}
// include search in supplier ref

2
htdocs/expensereport/stats/index.php
View File

@ -75,7 +75,7 @@ print load_fiche_titre($title, '', 'trip');
dol_mkdir($dir);
$stats = new ExpenseReportStats($db, $socid, $userid);
if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND e.fk_statut IN ('.$db->escape($object_status).')';
if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND e.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')';
// Build graphic number of object
// $data = array(array('Lib',val1,val2,val3),...)

2
htdocs/fichinter/stats/index.php
View File

@ -70,7 +70,7 @@ print load_fiche_titre($title, '', 'intervention');
dol_mkdir($dir);
$stats = new FichinterStats($db, $socid, $mode, ($userid > 0 ? $userid : 0));
if ($object_status != '' && $object_status > -1) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')';
if ($object_status != '' && $object_status > -1) $stats->where .= ' AND c.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')';
// Build graphic number of object
$data = $stats->getNbByMonthWithPrevYear($endyear, $startyear);

2
htdocs/holiday/list.php
View File

@ -311,7 +311,7 @@ if (!empty($search_valideur) && $search_valideur != -1) {
}
// Type
if (!empty($search_type) && $search_type != -1) {
$sql .= ' AND cp.fk_type IN ('.$db->escape($search_type).')';
$sql .= ' AND cp.fk_type IN ('.$this->db->sanitize($db->escape($search_type)).')';
}
// Status
if (!empty($search_status) && $search_status != -1) {

2
htdocs/modulebuilder/template/class/myobject.class.php
View File

@ -426,7 +426,7 @@ class MyObject extends CommonObject
} elseif ($key == 'customsql') {
$sqlwhere[] = $value;
} elseif (strpos($value, '%') === false) {
$sqlwhere[] = $key.' IN ('.$this->db->escape($value).')';
$sqlwhere[] = $key.' IN ('.$this->db->sanitize($this->db->escape($value)).')';
} else {
$sqlwhere[] = $key.' LIKE \'%'.$this->db->escape($value).'%\'';
}

2
htdocs/recruitment/class/recruitmentcandidature.class.php
View File

@ -403,7 +403,7 @@ class RecruitmentCandidature extends CommonObject
} elseif ($key == 'customsql') {
$sqlwhere[] = $value;
} elseif (strpos($value, '%') === false) {
$sqlwhere[] = $key.' IN ('.$this->db->escape($value).')';
$sqlwhere[] = $key.' IN ('.$this->db->sanitize($this->db->escape($value)).')';
} else {
$sqlwhere[] = $key.' LIKE \'%'.$this->db->escape($value).'%\'';
}

2
htdocs/recruitment/class/recruitmentjobposition.class.php
View File

@ -396,7 +396,7 @@ class RecruitmentJobPosition extends CommonObject
} elseif ($key == 'customsql') {
$sqlwhere[] = $value;
} elseif (strpos($value, '%') === false) {
$sqlwhere[] = $key.' IN ('.$this->db->escape($value).')';
$sqlwhere[] = $key.' IN ('.$this->db->sanitize($this->db->escape($value)).')';
} else {
$sqlwhere[] = $key.' LIKE \'%'.$this->db->escape($value).'%\'';
}

2
htdocs/supplier_proposal/list.php
View File

@ -314,7 +314,7 @@ if ($search_multicurrency_montant_vat != '') $sql .= natural_search('sp.multicur
if ($search_multicurrency_montant_ttc != '') $sql .= natural_search('sp.multicurrency_total_ttc', $search_multicurrency_montant_ttc, 1);
if ($sall) $sql .= natural_search(array_keys($fieldstosearchall), $sall);
if ($socid) $sql .= ' AND s.rowid = '.$socid;
if ($search_status >= 0 && $search_status != '') $sql .= ' AND sp.fk_statut IN ('.$db->escape($search_status).')';
if ($search_status >= 0 && $search_status != '') $sql .= ' AND sp.fk_statut IN ('.$this->db->sanitize($db->escape($search_status)).')';
$sql .= dolSqlDateFilter("sp.date_livraison", $day, $month, $year);
$sql .= dolSqlDateFilter("sp.date_valid", $dayvalid, $monthvalid, $yearvalid);
if ($search_sale > 0) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$search_sale;

2
htdocs/ticket/stats/index.php
View File

@ -70,7 +70,7 @@ print load_fiche_titre($title, '', 'ticket');
dol_mkdir($dir);
$stats = new TicketStats($db, $socid, ($userid > 0 ? $userid : 0));
if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND fk_statut IN ('.$db->escape($object_status).')';
if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')';
// Build graphic number of object